Platform: docker
Component: webhood
Fixed in: 0.9.2
CVE-2024-31218 is a critical vulnerability affecting Webhood, a self-hosted URL scanner, specifically versions 0.9.0 and earlier. This vulnerability allows an unauthenticated attacker to create an administrator account within the underlying Pocketbase database, granting them complete control over the system. The vulnerability stems from a lack of authentication checks when creating admin accounts in the Pocketbase API, and a fix is available in version 0.9.1.
The impact of CVE-2024-31218 is severe. Successful exploitation allows an attacker to gain full administrative access to the Webhood instance and its associated Pocketbase database. This includes the ability to modify, delete, and exfiltrate data scanned by Webhood, as well as potentially compromise the underlying infrastructure. Given Webhood's purpose of analyzing potentially malicious URLs, an attacker could leverage this access to inject malicious URLs into the system, effectively turning it into a phishing distribution platform. The lack of authentication makes this vulnerability particularly concerning, as no prior interaction with the system is required for exploitation.
CVE-2024-31218 was publicly disclosed on April 5, 2024. While no active exploitation campaigns have been publicly confirmed, the ease of exploitation and the critical severity of the vulnerability suggest a high probability of exploitation. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are likely to emerge given the simplicity of the attack vector.
Exploit Status
EPSS: 0.29% (52nd percentile)
CVSS Vector
The primary mitigation for CVE-2024-31218 is to immediately upgrade Webhood to version 0.9.1 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the /api/admin/users endpoint, specifically those originating from unauthenticated sources. Monitor Pocketbase database logs for suspicious activity, particularly account creation attempts. Review Webhood's deployment configuration to ensure that no default admin accounts are present and that appropriate security measures are in place. After upgrading, confirm the fix by attempting to access the Pocketbase admin API without authentication; access should be denied.
Update Webhood to version 0.9.1 or higher. Alternatively, you can block access to the `/api/admins` path in your web server configuration to mitigate the vulnerability if you cannot update immediately. This will prevent unauthorized creation of admin accounts.
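The mitigation text above asks operators to watch Pocketbase logs for admin account creation attempts. The following is an added example of such a check, not Webhood's or Pocketbase's own code. It assumes Pocketbase request-log records are available as one JSON object per line carrying `method`, `url`, `status`, `auth` (`guest`, `admin` or `authRecord`) and `remoteIp` fields, and that the admin login and password-reset routes listed in `GUEST_ALLOWED_ADMIN_ROUTES` are the only `/api/admins` routes an unauthenticated client legitimately POSTs to; both assumptions are mine, and the `SAMPLE_LOG` records are constructed for this example. A successful unauthenticated `POST /api/admins` is reported as critical, which is the outcome the advisory describes; rejected unauthenticated writes are reported at lower severity so a fixed instance still shows who is probing it.

```python
"""
Scan Pocketbase request-log records for unauthenticated use of the admin API.

Added example for the mitigation advice above; this is not Webhood's or
Pocketbase's own code.  Assumptions (not taken from the advisory):
  * each log record is one JSON object with "method", "url", "status",
    "auth" ("guest" / "admin" / "authRecord") and "remoteIp" keys;
  * the login / password-reset routes below are the only admin routes a
    guest may legitimately POST to.
The SAMPLE_LOG records are constructed for this example.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

ADMIN_API_PREFIX = "/api/admins"

# Unauthenticated POSTs to these admin routes are expected (login, password reset).
GUEST_ALLOWED_ADMIN_ROUTES = {
    "/api/admins/auth-with-password",
    "/api/admins/request-password-reset",
    "/api/admins/confirm-password-reset",
}


@dataclass
class Finding:
    severity: str   # "critical", "high" or "medium"
    reason: str
    remote_ip: str
    method: str
    url: str


def inspect_request(rec: dict) -> Optional[Finding]:
    """Return a Finding for a suspicious admin-API request, else None."""
    # Normalise the path: drop the query string and a trailing slash.
    url = str(rec.get("url", "")).split("?", 1)[0].rstrip("/")
    if url != ADMIN_API_PREFIX and not url.startswith(ADMIN_API_PREFIX + "/"):
        return None                      # not the admin API at all
    if url in GUEST_ALLOWED_ADMIN_ROUTES:
        return None                      # login / reset flows are guest by design
    if rec.get("auth") == "admin":
        return None                      # authenticated admin: normal traffic
    method = str(rec.get("method", "")).upper()
    status = int(rec.get("status") or 0)
    ip = str(rec.get("remoteIp", "unknown"))

    if 200 <= status < 300:
        if method == "POST" and url == ADMIN_API_PREFIX:
            # An admin record was created without an admin token: the
            # exploitation outcome the advisory describes.
            return Finding("critical", "unauthenticated admin account creation succeeded",
                           ip, method, url)
        return Finding("high", "admin API answered an unauthenticated request",
                       ip, method, url)
    if status in (401, 403) and method in ("POST", "PATCH", "DELETE"):
        # Rejected as expected on a fixed instance; still worth recording.
        return Finding("medium", "unauthenticated admin API write was rejected",
                       ip, method, url)
    return None


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Parse JSON-per-line records, skipping malformed lines, and collect findings."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                     # non-JSON noise in the log
        if not isinstance(rec, dict):
            continue
        finding = inspect_request(rec)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample records (not real traffic); 203.0.113.9 is a documentation address.
SAMPLE_LOG = """\
{"method":"GET","url":"/api/collections/scans/records","status":200,"auth":"authRecord","remoteIp":"10.0.0.5"}
{"method":"POST","url":"/api/admins/auth-with-password","status":200,"auth":"guest","remoteIp":"10.0.0.7"}
{"method":"GET","url":"/api/admins","status":200,"auth":"admin","remoteIp":"10.0.0.7"}
{"method":"POST","url":"/api/admins","status":200,"auth":"guest","remoteIp":"203.0.113.9"}
{"method":"POST","url":"/api/admins","status":401,"auth":"guest","remoteIp":"203.0.113.9"}
not a json line
"""


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.reason}: {f.method} {f.url} from {f.remote_ip}")
```

Run against the constructed sample, only the two guest requests to `POST /api/admins` are reported: the one answered with 200 as critical, the one answered with 401 as medium. The admin login and the authenticated `GET /api/admins` stay silent, and the non-JSON line is skipped rather than aborting the scan. Point `scan_log` at your exported request log to apply the same logic to real records, adjusting the field names if your Pocketbase version writes them differently.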
CVE-2024-31218 is a critical vulnerability in Webhood versions ≤ 0.9.1 that allows unauthenticated attackers to create admin accounts in the Pocketbase database, granting full control.
Yes, if you are running Webhood version 0.9.0 or earlier, you are affected by this vulnerability. Upgrade to version 0.9.1 immediately.
The recommended fix is to upgrade Webhood to version 0.9.1 or later. As a temporary workaround, implement a WAF rule to block unauthorized access to the Pocketbase admin API.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation.
Refer to the Webhood GitHub repository for the latest security advisories and updates: [https://github.com/Webhoodio/Webhood](https://github.com/Webhoodio/Webhood)